[Bug]: hull.js Code Injection Vulnerability

[Rey-Wang]

Describe the bug / 问题描述

could we upgrade to the latest version? also, new version of hull.js is not hosted on npm

Since version 1.0.7 this library is not hosted on npmjs.com, but you can use GitHub URL as a dependency, e.g.:

"dependencies": {
        "hull.js": "andriiheonia/hull#semver:^1.0.10"
    }

Reproduction link / 复现链接

No response

Steps to Reproduce the Bug or Issue / 重现步骤

No response

G6 Version / G6 版本

🆕 5.x

OS / 操作系统

• macOS
• Windows
• Linux
• Others / 其他

Browser / 浏览器

• Chrome
• Edge
• Firefox
• Safari (Limited support / 有限支持)
• IE (Nonsupport / 不支持)
• Others / 其他

[Aarebecca]

Would you be willing to contribute to update the version of this dependency?

[Rey-Wang]

@Aarebecca #6609

[Rey-Wang]

@Aarebecca 既然我们不想引入 github link 的库，是否有其他的替代库能避免这个库注入漏洞的问题？

[Aarebecca]

@Rey-Wang 也许可以考虑将该库的源码拷贝至 G6 内部

[andriiheonia]

Hello, this library was created more than 10 years ago. It is deprecated and not maintained, I would not recommend using it. I’d suggest to search for alternatives.

[Crystal-RainSlide]

Some alternatives:

• https://github.com/mapbox/concaveman
• https://github.com/markroland/concaveHullJS
• https://turfjs.org/docs/api/concave

[YuLingCheng]

Hello! Could we re-open this issue?
I see there is only one usage of this library.
Trying to replace the current package by a maintained alternative sounds great! Is there anything we could do to help?

[Crystal-RainSlide]

@YuLingCheng : Trying to replace the current package by a maintained alternative sounds great! Is there anything we could do to help?

Should be just: gather alternatives, check them for robustness, compatibility, and performance, then replace hull.js with the best alternative

[zhongyunWan]

Trying to replace the current package by a maintained alternative sounds great! Is there anything we could do to help?

You can conduct research on the libraries that are closest in capabilities to hull.js. You can consider several factors:

1. whether the functions meet the requirements
2. the size of the package
3. and whether the community is active.

[eliziebluiz]

Any news on defining the hull.js replacement?

[zhongyunWan]

@Rey-Wang 也许可以考虑将该库的源码拷贝至 G6 内部

It has already been in PR. For details, please refer to: #6805

[Crystal-RainSlide]

A typed copy of hull.js is better. However, since the author don't recommend using it any more + potential security risks, an existing alternative can be an instant upgrade than hull.js, and would be much easier for future maintainace. (Unless you are going to fix & improve hull.js to your own liking)

• For performance, concaveman is faster,
• Size-wise, @markroland/concave-hull is the smallest,
• concave in Turf.js is the most maintained package so far.

[Rey-Wang]

@zhongyunWan may I ask when we will release the fix?